It looks like there is no brute-force protection on the TOTP implementation, without which it is quite vulnerable (i.e. can be brute-forced within a few hours/days in a typical setup). See https://lukeplant.me.uk/blog/posts/6-digit-otp-for-two-factor-auth-is-brute-forceable-in-3-days/ for more info, and this commit for django-otp where I fixed the issue with exponential backoff throttling (it may have evoloved since then).